Uber has addressed a vulnerability that allowed attackers to steal session tokens and hijack accounts.
Researcher Arne Swinnen disclosed details Monday after confirming late last week that the issue had been resolved; he earned $5,000 in bounties from Uber. Swinnen said that if exploited at a large scale, an attacker could steal victim data hosted on Uber systems.
The problem was found in a homebrewed single sign-on implementation that allowed Swinnen to steal session cookies through a compromised subdomain, saotastic.uber.com.
“Uber used to host this subdomain on Amazon CloudFront, but not anymore now. They forgot to remove the DNS CNAME record, which pointed the hostname to one of Amazon’s servers, which ultimately allowed me to hijack it,” Swinnen explained.
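The defender's counterpart to the record Swinnen describes is a routine audit of one's own zone for CNAMEs whose targets no longer resolve. The script below is an added example, not part of the article or of Uber's tooling: the zone export, the hostnames and the `LIVE_TARGETS` map standing in for DNS resolution are all constructed, and in a real audit `resolve_target` would be replaced by a live lookup of each target.

```python
"""Audit a DNS zone export for dangling CNAME records.

Added example, not part of the article or Uber's tooling. The zone lines and
the resolver map below are constructed; a real audit would replace
`resolve_target` with live DNS lookups of the zone's own CNAME targets.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed zone export in BIND-like format (every hostname is hypothetical).
ZONE_EXPORT = """
www.example.com.        300 IN CNAME  www.example.com.cdn-provider.example.
blog.example.com.       300 IN CNAME  d1abc.cloudfront.example.
old-promo.example.com.  300 IN CNAME  d2xyz.cloudfront.example.
api.example.com.        300 IN A      203.0.113.10
"""

# Constructed view of which CNAME targets still resolve to a live endpoint.
# In production this is a real DNS query; here a dict stands in for it.
LIVE_TARGETS: Dict[str, str] = {
    "www.example.com.cdn-provider.example.": "198.51.100.7",
    "d1abc.cloudfront.example.": "198.51.100.8",
    # d2xyz.cloudfront.example. is deliberately absent: the CDN distribution
    # behind it was deleted but the CNAME pointing at it was left behind.
}

CNAME_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+CNAME\s+(\S+)$")


@dataclass
class Finding:
    name: str    # the record in our zone
    target: str  # the provider hostname it still points at


def parse_cnames(zone_text: str) -> List[Tuple[str, str]]:
    """Return (owner, target) pairs for every CNAME line in the export."""
    pairs = []
    for line in zone_text.splitlines():
        m = CNAME_RE.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def resolve_target(target: str, live: Dict[str, str] = LIVE_TARGETS) -> Optional[str]:
    """Stand-in resolver: the address a target resolves to, or None if nothing answers."""
    return live.get(target)


def find_dangling(zone_text: str, live: Dict[str, str] = LIVE_TARGETS) -> List[Finding]:
    """A CNAME whose target no longer resolves is a takeover candidate: the name
    in our zone still delegates to a provider hostname that nobody in the
    organisation controls any more. The fix is to delete the record (or
    re-create the provider resource so the target is ours again)."""
    return [
        Finding(name, target)
        for name, target in parse_cnames(zone_text)
        if resolve_target(target, live) is None
    ]


if __name__ == "__main__":
    for f in find_dangling(ZONE_EXPORT):
        print(f"DANGLING: {f.name} -> {f.target}  (remove the record or reclaim the target)")
```

Run against a real zone export, the only change is in `resolve_target`; the rest of the logic is the same check that would have flagged the leftover record for saotastic.uber.com before it was noticed externally.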
In his disclosure, Swinnen said Uber’s recently deployed SSO system is based on shared cookies between all Uber subdomains. He found a vulnerability that allowed attackers to steal session cookies through the compromised subdomain.
“Therefore, the impact of the subdomain takeover could be increased to Authentication Bypass of Uber’s full SSO system, yielding access to all *.uber.com subdomains protected by it (e.g. vault.uber.com, partners.uber.com, riders.uber.com, etc),” he wrote.
The custom solution, Swinnen said, replaced OAuth as Uber’s single sign-on tool for subdomains. Any subdomain that requires authentication redirects to auth-uber.com, and that SSO system logs users in transparently to other subdomains by issuing temporary session cookies.
Swinnen wrote that he was able to bypass some countermeasures Uber had in place to prevent the abuse of any Uber subdomain to steal valid session cookies. An attacker would need zero prior knowledge of the victim or their credentials, Swinnen said; the victim need only be lured to a website under the attacker’s control while authenticated to an Uber subdomain.
“A user is logged in to any *.uber.com website in their browser and then visits a website in a second browser tab that is partly under the control by the attacker (e.g. an advertisement on a popular website),” Swinnen said. “From that moment on, the attacker can steal victim session tokens stealthily and become authenticated on any *.uber.com subdomain as the victim, from the attacker’s system.”
Compromising the saotastic subdomain, which he did as part of his proof of concept, was key, Swinnen said.
Swinnen explains how his bypass worked in the report, and demonstrates it in a video, below. He also shared PoC code in his report.
Swinnen privately disclosed the issue on April 4, submitting with his bug report a number of recommended steps to address the vulnerabilities, starting with removal of the dangling CNAME to the Amazon CloudFront CDN. He also recommended reverting to OAuth 2, or implementing IP address checks in which Uber verifies that users presenting a shared session cookie to providers on *.uber.com have the same external IP address, which would prevent such relay attacks.
Uber removed the DNS CNAME record on June 6 for the subdomain in question, and last Friday deployed IP address checking.
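The IP address check Uber deployed can be modelled as a session cookie that carries the issuing client's external IP and is authenticated so the binding cannot be rewritten by whoever holds the cookie. The code below is an added example and not Uber's implementation: the key, user ids, addresses and the `auth`/relying-party split are constructed, and the HMAC-over-JSON cookie format is an assumption chosen to make the check concrete.

```python
"""IP-bound shared session cookie for a multi-subdomain SSO.

Added example, not Uber's code. It models the mitigation the article describes:
the SSO provider binds the cookie it issues to the client's external IP, and
every subdomain that accepts the shared cookie rejects it when presented from a
different address. An HMAC over the payload stops the holder of a stolen cookie
from simply editing the stored IP. Key, names and addresses are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed shared secret; in production this lives in a KMS/secret store and
# is shared only between the SSO provider and the relying subdomains.
SSO_KEY = b"constructed-shared-secret-for-the-example"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return hmac.new(SSO_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_session_cookie(user_id: str, client_ip: str, ttl: int = 900,
                         now: Optional[float] = None) -> str:
    """Called by the SSO host after login. The payload records the external IP
    the login came from; `now` is injectable so the expiry can be tested."""
    payload = {
        "sub": user_id,
        "ip": client_ip,
        "exp": int((now if now is not None else time.time()) + ttl),
        "nonce": secrets.token_hex(8),
    }
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    return f"{body}.{_sign(body)}"


def verify_session_cookie(cookie: str, client_ip: str,
                          now: Optional[float] = None) -> Optional[str]:
    """Called by every relying subdomain. Returns the user id on success, None
    otherwise. A cookie presented from a different external IP than the one it
    was issued to is refused, which is what breaks relaying a stolen cookie
    from the attacker's own machine."""
    try:
        body, tag = cookie.split(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(body), tag):
        return None  # tampered or forged: e.g. the "ip" field was rewritten
    try:
        payload = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if payload.get("exp", 0) < (now if now is not None else time.time()):
        return None  # expired: short TTLs limit the window for any replay
    if payload.get("ip") != client_ip:
        return None  # IP binding failed
    return payload.get("sub")


def tampered_copy(cookie: str, new_ip: str) -> str:
    """Negative test helper: rewrite the ip field but keep the old tag, to show
    that the MAC check (not just the IP comparison) is what rejects it."""
    body, tag = cookie.split(".", 1)
    payload = json.loads(_unb64(body))
    payload["ip"] = new_ip
    return f"{_b64(json.dumps(payload, separators=(',', ':')).encode())}.{tag}"


if __name__ == "__main__":
    c = issue_session_cookie("rider-42", "203.0.113.5")
    print("same IP:      ", verify_session_cookie(c, "203.0.113.5"))
    print("relayed IP:   ", verify_session_cookie(c, "198.51.100.9"))
    print("edited IP:    ", verify_session_cookie(tampered_copy(c, "198.51.100.9"), "198.51.100.9"))
```

The design trade-off is the one the article implies by listing OAuth 2 as the alternative: binding to the external IP is cheap to deploy onto an existing shared-cookie scheme, but it produces spurious logouts for users whose address changes mid-session (mobile carriers, some corporate proxies), whereas per-origin tokens issued through an authorization-code flow avoid the shared cookie altogether.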